https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122636#M33066 <P>OK - This is what worked:<BR /><BR /> <PRE>| eval ip=if(enc_ip&lt;1,enc_ip+2147483648,enc_ip) | eval aaa=floor(ip/16777216) | eval bbb=floor((ip-aaa\*16777216)/65536) | eval ccc=floor((ip-(aaa\*16777216+bbb\*65536))/256)| eval ddd=ip-(aaa\*16777216+bbb\*65536+ccc\*256) | eval ipv4=tostring(ddd)+"."+tostring(ccc)+"."+tostring(bbb)+"."+tostring(aaa)</PRE></P> <P>I adapted this from <A href="http://answers.splunk.com/answers/38750/how-to-convert-ip" target="_blank">http://answers.splunk.com/answers/38750/how-to-convert-ip</A></P> Mon, 28 Sep 2020 15:08:44 GMT wbfoxii 2020-09-28T15:08:44Z https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122634#M33064 <P>I've got a log that includes an obfuscated IP address. The source takes dotted decimal, reverses the order of the octets, converts them to binary, concatenates them, and then converts to decimal.</P> <P>For example:<BR /> 10.9.8.7 is turned around:<BR /> 7 8 9 10<BR /> Then the octets are changed to binary:<BR /> 00000111 00001000 00001001 00001010<BR /> Then all smashed together:<BR /> 00000111000010000000100100001010<BR /> Then converted to a decimal number:<BR /> 117967114<BR /> And that's what I get in the log. Are there any fun tools in Splunk that would help? If the set were limited, I could just use a lookup table.</P> Wed, 30 Oct 2013 17:27:47 GMT https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122634#M33064 wbfoxii 2013-10-30T17:27:47Z https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122635#M33065 <P>You could write a script to evaluate the obfuscated data - here is something similar from a Splunk blog post:</P> <P><A href="http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/">http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/</A></P> Wed, 30 Oct 2013 17:45:15 GMT https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122635#M33065 lukejadamec 2013-10-30T17:45:15Z https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122636#M33066 <P>OK - This is what worked:<BR /><BR /> <PRE>| eval ip=if(enc_ip&lt;1,enc_ip+2147483648,enc_ip) | eval aaa=floor(ip/16777216) | eval bbb=floor((ip-aaa\*16777216)/65536) | eval ccc=floor((ip-(aaa\*16777216+bbb\*65536))/256)| eval ddd=ip-(aaa\*16777216+bbb\*65536+ccc\*256) | eval ipv4=tostring(ddd)+"."+tostring(ccc)+"."+tostring(bbb)+"."+tostring(aaa)</PRE></P> <P>I adapted this from <A href="http://answers.splunk.com/answers/38750/how-to-convert-ip" target="_blank">http://answers.splunk.com/answers/38750/how-to-convert-ip</A></P> Mon, 28 Sep 2020 15:08:44 GMT https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122636#M33066 wbfoxii 2020-09-28T15:08:44Z https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122637#M33067 <P>Very clever.</P> Wed, 30 Oct 2013 18:31:21 GMT https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122637#M33067 lukejadamec 2013-10-30T18:31:21Z https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122638#M33068 <P>One question, which is the source field, i mean, the field with the decimal IP? enc_ip?</P> Fri, 05 Jun 2015 15:41:43 GMT https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122638#M33068 changux 2015-06-05T15:41:43Z https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122639#M33069 <P>What if you want to match the ip against another CSV file to see if it falls in the range?<BR /> looks like this<BR /> (( 3743019008, -----&gt; this is actually 223.25.240.0 if converted to IP format<BR /> 3743020031, -----&gt; range end 223.25.243.255<BR /> '<A href="http://thegigabit.com/'">http://thegigabit.com/'</A>),</P> Sat, 23 Dec 2017 19:45:25 GMT https://community.splunk.com/t5/Splunk-Search/Converting-an-encoded-IP-address-to-dotted-decimal/m-p/122639#M33069 spark2310 2017-12-23T19:45:25Z